Other Directory Sites: SeekWonder | Directory Owners Forum
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:13:58
Giff (giff@eng.us.uu.net)
Tue, 1 Sep 1998 12:01:52 -0400 (EDT)
On Tue, 1 Sep 1998, Mike Rosing wrote:
> On Mon, 31 Aug 1998, Sandy Harris wrote:
> > For some ciphers, you'd solve for the primary key. For others,
> > you might solve for the round keys. Choose whichever is easier,
> > since both break the cipher.
> [....]
>
> But what if I can come up with a set of equations that ignores
> the key(?!? bad cipher!). In other words, suppose I get a system
> of equations which includes the key bits, cipher text bits and
> plain text bits. Using the system, I eliminate the key bits
> and leave only cipher text and plain text bits. The cipher text
> is input, the plain text is output and we don't need a key.
> That's a seriously broken cipher.
Yes, but you can see this without having to go the very hard route of
writing a large number of equations with a ton of terms. Simply encrypt
various messages with keys that differ by a single bit. If your cipher
doesn't change, that's probably a good indication that there is something
wrong! :)
> I think a good place to start would be Terry Ritter's 4 and 8 bit ciphers.
> He's trying to create systems which can be analyzed and scaled up to
> 128 bits or more and have provable security. With 8 bits, you can write
> out all the equations and have a chance at solving them.
I would also recommend a small Fiestel cipher with a couple of rounds and
try extending the rounds one at a time and watch how quickly the number of
terms grow. Just the managing of that is really cumbersome.
With another food-for-thought item; for a while, I played around with an
alternate representation of DES. The operations used were AND and XOR,
which are done with multiply and addition respectively - both modulo 2.
As it turns out, the modulo 2 can be held off until the end. Each data
line in DES could be represented by an integer. Then it seemed reasonable
to 'plug in the numbers and solve'.
But the really hard part was the indexing into the Sbox. It would be best
to not have to calculate the modulo at every step of the way:
S[3][(x mod 64)] ... That made this method mostly unworkable.
And in yet one more food-for-thought; An S-box can really be thought of as
bit-switching, but in a different representation of numbers.
For example: (2 bit Sbox: [2 3 0 1])
Have four lines 0..3, rearange them into 2,3,0,1. So to put the data
through the Sbox, convert the input data into one of the wires 0..3 being
'ON', the others 'OFF'. Then swap wires and unconvert based on position.
But for DES, the hard part of this design was the representation of the
XOR operations. If there were a simple representation for a cipher in a
single representation, then a solution is probably straightforward. But
if all the good representations require lots of conversions, it will
probably be hard.
In the end though, don't let this stop you from doing some hands-on work
on this. At the very least, you will learn a lot, even if you don't make
a breakthrough. And if you do make a breakthrough...
-Giff
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:13:58